Certainly, we can’t afford to sit back and wait to react to the next attack…damage control and remediation are much harder than getting out in front of the problem in the first place.

Prevention and deterrence are really the only solution…keep the hackers out and make sure they know that if they mess with us and our systems, we can identify who they are, find them, and take them out.

These are the capabilities we need and must employ to dominate the cyber realm.

A lot has been made and should be made of the theft of over 21 million federal employees’ sensitive personnel records and security clearances.

Everyone rightly, although somewhat selfishly, is worried about identity theft and the compromised privacy of their information.

The government is worried about hostile nation states using the pilfered information to bribe or coerce military, intelligence, high-level political appointees, and others into turning and working for them, or otherwise using the information against them.

But what is grossly missing in this discussion is not what information the Chinese presumably stole and how they will use it against us, but rather what information they inserted into, altered, or otherwise compromised in the OPM personnel and security databases once they had root access.

Imagine for a moment what hostile nations or terrorists could do to this crown jewel database of personnel and security information:

– They could insert phony records for spies, moles, or other dangerous persons into the database–voila, these people are now “federal employees” and perhaps with stellar performance records and high level security clearances able to penetrate the depths of the federal government with impunity or even as superstars!

– They could alter personnel or security records, taking prominent or good government employees and sabotaging them with questionable histories, contacts, or financial, drug, or criminal problems, thereby framing or taking down key government figures, diverting attention from the real bad guys out there, and tying our homeland security and law enforcement establishment in knots chasing phony leads and false wrongdoers.

Given that the timeline of the hack of OPM goes back to March and December 2014, this was more than enough time for our adversary not only to do to our data whatever they wanted, but also for the corrupt data entering the system to propagate into the backup tapes.
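The planted-record and altered-record scenarios above, together with the point about backups inheriting the corruption, are the kind of integrity problem a defender detects with an out-of-band ledger: a keyed HMAC tag per record, stored on a system the database host cannot reach. The following is an added example, not code from the original post or from OPM; it assumes a hypothetical records table keyed by employee id and constructs its own sample data. An attacker with root on the database can rewrite rows and every backup taken afterwards, but without the ledger key cannot produce matching tags, so an audit of either the live table or a restored backup surfaces the inserted and altered ids.

```python
"""Out-of-band integrity ledger for a personnel-style record store.

Added example, not from the original post. Assumes a hypothetical records
table keyed by employee id, and a ledger of per-record HMAC tags kept on a
separate system with its own key, so an attacker with root on the database
host can rewrite rows and backups but cannot forge ledger entries.
"""
import hashlib
import hmac
import json
from typing import Any, Dict, List

Record = Dict[str, Any]


def canonical(record: Record) -> bytes:
    # Stable serialization: sorted keys, no whitespace, so equal content
    # always produces the same bytes regardless of dict ordering.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record: Record, key: bytes) -> str:
    # HMAC-SHA256 over the canonical form; only a holder of `key` can forge it.
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_ledger(records: Dict[str, Record], key: bytes) -> Dict[str, str]:
    """Snapshot of trusted state: employee id -> HMAC tag."""
    return {rid: tag(rec, key) for rid, rec in records.items()}


def audit(records: Dict[str, Record], ledger: Dict[str, str], key: bytes) -> Dict[str, List[str]]:
    """Compare a live table (or a restored backup) against the trusted ledger.

    Returns ids that were inserted (no ledger entry), altered (tag mismatch),
    or deleted (ledger entry with no row).
    """
    inserted = sorted(rid for rid in records if rid not in ledger)
    deleted = sorted(rid for rid in ledger if rid not in records)
    altered = sorted(
        rid for rid in records
        if rid in ledger and not hmac.compare_digest(tag(records[rid], key), ledger[rid])
    )
    return {"inserted": inserted, "altered": altered, "deleted": deleted}


# Constructed sample data; placeholder key (a real deployment keeps it in a KMS/HSM).
LEDGER_KEY = b"placeholder-ledger-key-held-off-the-db-host"
TRUSTED = {
    "E1001": {"name": "A. Example", "clearance": "SECRET", "flags": []},
    "E1002": {"name": "B. Example", "clearance": "TOP SECRET", "flags": []},
}

# The two changes the post describes, simulated: one sabotaged record and one
# planted "employee". A backup taken afterwards simply copies this state.
TAMPERED = {
    "E1001": {"name": "A. Example", "clearance": "SECRET", "flags": ["foreign contact"]},
    "E1002": TRUSTED["E1002"],
    "E9999": {"name": "Phantom Employee", "clearance": "TOP SECRET", "flags": []},
}


def demo():
    """Audit the trusted table, the tampered live table, and a backup of it."""
    ledger = build_ledger(TRUSTED, LEDGER_KEY)
    clean = audit(TRUSTED, ledger, LEDGER_KEY)
    found = audit(TAMPERED, ledger, LEDGER_KEY)
    # A post-compromise backup is a copy of the tampered table, so restoring
    # from it does not make the findings go away; the ledger still catches them.
    backup_after = json.loads(json.dumps(TAMPERED))
    from_backup = audit(backup_after, ledger, LEDGER_KEY)
    return clean, found, from_backup


if __name__ == "__main__":
    for label, result in zip(("trusted", "live", "backup"), demo()):
        print(label, result)
```

The ledger must be rebuilt only through the legitimate change process (each approved edit re-tags the record), and the audit should be run against every backup generation before any of it is trusted for restoration; a backup whose audit is clean marks the last known-good point in the timeline.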

The damage done to U.S. national security is unimaginable. As is typically the case with these things, “An ounce of prevention is worth a pound of cure.” Instead of investing in security, we now get to invest in “credit monitoring and identity theft protection” for a scant three years, while federal employees will spend a lifetime in information jeopardy, and the federal government will literally be chasing its tail on personnel security for decades to come.

With the price so low to our adversaries in attacking our systems, it truly is like stealing and much more. 😉

In fact, just today the Wall Street Journal reported that Iran has hacked into the Navy’s unclassified network.

While we can fix the computers that were attacked, the damage done in terms of data exfiltration and malware infiltration is another matter.

To fix the computers, we can wipe them, swap out the drives, or actually replace the whole system.

But the security breaches still often impose lasting damage, since you can’t get the lost data or private information back or, as they say, “put the genie back in the bottle.”

Also, you aren’t always aware of hidden malware that can lie dormant, like a trojan horse, nor can you immediately contain the damage of a spreading computer virus, such as one exploiting a zero-day vulnerability.

According to Federal Times, on top of more traditional IT security precautions (firewalls, antivirus, network scanning tools, security settings, etc.), many organizations are taking out cybersecurity insurance policies.

With insurance coverage, you transfer the risk of cybersecurity penetrations to cover the costs of compromised data and provide for things like “breach notification to victims, legal costs and forensics, and investigative costs to remedy the breach.”

Unfortunately, because there is little actuarial data for calculating risks, catastrophic events such as “cyber espionage and attacks against SCADA industrial controls systems are usually not covered.”

DHS has a section on their website that promotes cybersecurity insurance, where they state that the Department of Commerce views cybersecurity insurance as an “effective, market-driven way of increasing cybersecurity,” because it promotes preventive measures and best practices in order to lower insurance premiums and limit company losses from an attack.

I really like the idea of cybersecurity insurance to help protect organizations from the impact of cybersecurity attacks and for promoting sound cybersecurity practices to begin with.

With cyber attacks, as with other catastrophes (fire, flood, accident, illness, and so on), we will never be able to fully eliminate the risks, but we can prepare ourselves by taking out insurance to help cover the costs of reconstitution and recovery.

Buying insurance for cybersecurity is not capitulating on our security, but rather adding one more layer of constructive defense. 😉